Warning: Permanently added '10.128.15.197' (ECDSA) to the list of known hosts.
syzkaller login: [   62.883145][ T6842] IPVS: ftp: loaded support on port[0] = 21
executing program
[   62.976080][ T6842] ==================================================================
[   62.984459][ T6842] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   62.991468][ T6842] Read of size 8 at addr ffff8880a83f7018 by task syz-executor227/6842
[   62.999678][ T6842]
[   63.001991][ T6842] CPU: 1 PID: 6842 Comm: syz-executor227 Not tainted 5.8.0-syzkaller #0
[   63.010289][ T6842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.020376][ T6842] Call Trace:
[   63.023655][ T6842]  dump_stack+0x18f/0x20d
[   63.027966][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.032620][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.037623][ T6842]  print_address_description.constprop.0.cold+0xae/0x497
[   63.044643][ T6842]  ? mutex_lock_io_nested+0xf60/0xf60
[   63.050005][ T6842]  ? vprintk_func+0x97/0x1a6
[   63.054605][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.059258][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.063927][ T6842]  kasan_report.cold+0x1f/0x37
[   63.068698][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.073443][ T6842]  hci_chan_del+0x14f/0x190
[   63.077928][ T6842]  l2cap_conn_del+0x61b/0x9e0
[   63.082589][ T6842]  ? l2cap_conn_del+0x9e0/0x9e0
[   63.087415][ T6842]  l2cap_disconn_cfm+0x85/0xa0
[   63.092158][ T6842]  hci_conn_hash_flush+0x114/0x220
[   63.097268][ T6842]  hci_dev_do_close+0x5c6/0x1080
[   63.102198][ T6842]  ? hci_dev_open+0x350/0x350
[   63.106863][ T6842]  ? do_raw_read_unlock+0x70/0x70
[   63.111870][ T6842]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   63.117752][ T6842]  hci_unregister_dev+0x1bd/0xe30
[   63.122760][ T6842]  ? fcntl_setlk+0xf60/0xf60
[   63.127387][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   63.132355][ T6842]  vhci_release+0x70/0xe0
[   63.136662][ T6842]  __fput+0x285/0x920
[   63.140633][ T6842]  ? vhci_close_dev+0x50/0x50
[   63.145290][ T6842]  task_work_run+0xdd/0x190
[   63.149777][ T6842]  do_exit+0xb7d/0x29f0
[   63.153915][ T6842]  ? mm_update_next_owner+0x7a0/0x7a0
[   63.159268][ T6842]  ? vmacache_update+0xce/0x140
[   63.164100][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   63.169512][ T6842]  do_group_exit+0x125/0x310
[   63.174118][ T6842]  __ia32_sys_exit_group+0x3a/0x50
[   63.179208][ T6842]  __do_fast_syscall_32+0x57/0x80
[   63.184208][ T6842]  do_fast_syscall_32+0x2f/0x70
[   63.189053][ T6842]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[   63.195367][ T6842] RIP: 0023:0xf7f5c549
[   63.199406][ T6842] Code: Bad RIP value.
[   63.203447][ T6842] RSP: 002b:00000000ffa0b62c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   63.211851][ T6842] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
[   63.219803][ T6842] RDX: 0000000000000000 RSI: 00000000080e3220 RDI: 00000000080fd320
[   63.227754][ T6842] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   63.235717][ T6842] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   63.243673][ T6842] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   63.251630][ T6842]
[   63.253950][ T6842] Allocated by task 1545:
[   63.258272][ T6842]  kasan_save_stack+0x1b/0x40
[   63.262942][ T6842]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.268713][ T6842]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.274066][ T6842]  hci_chan_create+0x9b/0x330
[   63.278721][ T6842]  l2cap_conn_add.part.0+0x1e/0xe10
[   63.283961][ T6842]  l2cap_connect_cfm+0x23b/0x1090
[   63.288978][ T6842]  le_conn_complete_evt+0x1153/0x1740
[   63.294328][ T6842]  hci_le_meta_evt+0x745/0x3ff0
[   63.299167][ T6842]  hci_event_packet+0x2e25/0x87a8
[   63.304171][ T6842]  hci_rx_work+0x22e/0xb50
[   63.308564][ T6842]  process_one_work+0x94c/0x1670
[   63.313479][ T6842]  worker_thread+0x64c/0x1120
[   63.318132][ T6842]  kthread+0x3b5/0x4a0
[   63.322194][ T6842]  ret_from_fork+0x1f/0x30
[   63.326580][ T6842]
[   63.328900][ T6842] Freed by task 6848:
[   63.332862][ T6842]  kasan_save_stack+0x1b/0x40
[   63.337512][ T6842]  kasan_set_track+0x1c/0x30
[   63.342094][ T6842]  kasan_set_free_info+0x1b/0x30
[   63.347021][ T6842]  __kasan_slab_free+0xd8/0x120
[   63.351870][ T6842]  kfree+0x103/0x2c0
[   63.355741][ T6842]  hci_event_packet+0x3e33/0x87a8
[   63.360742][ T6842]  hci_rx_work+0x22e/0xb50
[   63.365138][ T6842]  process_one_work+0x94c/0x1670
[   63.370093][ T6842]  worker_thread+0x64c/0x1120
[   63.374832][ T6842]  kthread+0x3b5/0x4a0
[   63.378880][ T6842]  ret_from_fork+0x1f/0x30
[   63.383285][ T6842]
[   63.385595][ T6842] The buggy address belongs to the object at ffff8880a83f7000
[   63.385595][ T6842]  which belongs to the cache kmalloc-128 of size 128
[   63.399639][ T6842] The buggy address is located 24 bytes inside of
[   63.399639][ T6842]  128-byte region [ffff8880a83f7000, ffff8880a83f7080)
[   63.412797][ T6842] The buggy address belongs to the page:
[   63.418412][ T6842] page:0000000097ecbc1c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a83f7700 pfn:0xa83f7
[   63.429838][ T6842] flags: 0xfffe0000000200(slab)
[   63.434686][ T6842] raw: 00fffe0000000200 ffffea0002a146c8 ffffea00027ea8c8 ffff8880aa040400
[   63.443263][ T6842] raw: ffff8880a83f7700 ffff8880a83f7000 0000000100000003 0000000000000000
[   63.451904][ T6842] page dumped because: kasan: bad access detected
[   63.458286][ T6842]
[   63.460591][ T6842] Memory state around the buggy address:
[   63.466208][ T6842]  ffff8880a83f6f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   63.474244][ T6842]  ffff8880a83f6f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   63.482281][ T6842] >ffff8880a83f7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.490341][ T6842]                         ^
[   63.495165][ T6842]  ffff8880a83f7080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.503206][ T6842]  ffff8880a83f7100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.511239][ T6842] ==================================================================
[   63.519288][ T6842] Disabling lock debugging due to kernel taint
[   63.528015][   T21] tipc: TX() has been purged, node left!
[   63.539778][ T6842] Kernel panic - not syncing: panic_on_warn set ...
[   63.546390][ T6842] CPU: 1 PID: 6842 Comm: syz-executor227 Tainted: G B 5.8.0-syzkaller #0
[   63.556097][ T6842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.566562][ T6842] Call Trace:
[   63.569834][ T6842]  dump_stack+0x18f/0x20d
[   63.574142][ T6842]  ? hci_chan_del+0xa0/0x190
[   63.578706][ T6842]  panic+0x2e3/0x75c
[   63.582675][ T6842]  ? __warn_printk+0xf3/0xf3
[   63.587259][ T6842]  ? preempt_schedule_common+0x59/0xc0
[   63.592690][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.597338][ T6842]  ? preempt_schedule_thunk+0x16/0x18
[   63.602697][ T6842]  ? trace_hardirqs_on+0x55/0x220
[   63.607704][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.612350][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.616998][ T6842]  end_report+0x4d/0x53
[   63.621145][ T6842]  kasan_report.cold+0xd/0x37
[   63.625818][ T6842]  ? hci_chan_del+0x14f/0x190
[   63.630466][ T6842]  hci_chan_del+0x14f/0x190
[   63.634956][ T6842]  l2cap_conn_del+0x61b/0x9e0
[   63.639617][ T6842]  ? l2cap_conn_del+0x9e0/0x9e0
[   63.644527][ T6842]  l2cap_disconn_cfm+0x85/0xa0
[   63.649278][ T6842]  hci_conn_hash_flush+0x114/0x220
[   63.654362][ T6842]  hci_dev_do_close+0x5c6/0x1080
[   63.659360][ T6842]  ? hci_dev_open+0x350/0x350
[   63.664029][ T6842]  ? do_raw_read_unlock+0x70/0x70
[   63.669031][ T6842]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   63.674910][ T6842]  hci_unregister_dev+0x1bd/0xe30
[   63.679929][ T6842]  ? fcntl_setlk+0xf60/0xf60
[   63.684494][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   63.689410][ T6842]  vhci_release+0x70/0xe0
[   63.693714][ T6842]  __fput+0x285/0x920
[   63.697681][ T6842]  ? vhci_close_dev+0x50/0x50
[   63.702332][ T6842]  task_work_run+0xdd/0x190
[   63.706807][ T6842]  do_exit+0xb7d/0x29f0
[   63.710957][ T6842]  ? mm_update_next_owner+0x7a0/0x7a0
[   63.716401][ T6842]  ? vmacache_update+0xce/0x140
[   63.721224][ T6842]  ? lock_is_held_type+0xbb/0xf0
[   63.726136][ T6842]  do_group_exit+0x125/0x310
[   63.730700][ T6842]  __ia32_sys_exit_group+0x3a/0x50
[   63.735782][ T6842]  __do_fast_syscall_32+0x57/0x80
[   63.740777][ T6842]  do_fast_syscall_32+0x2f/0x70
[   63.745598][ T6842]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[   63.751899][ T6842] RIP: 0023:0xf7f5c549
[   63.755933][ T6842] Code: Bad RIP value.
[   63.759970][ T6842] RSP: 002b:00000000ffa0b62c EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[   63.768351][ T6842] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
[   63.776296][ T6842] RDX: 0000000000000000 RSI: 00000000080e3220 RDI: 00000000080fd320
[   63.784240][ T6842] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[   63.792185][ T6842] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   63.800257][ T6842] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   63.809757][ T6842] Kernel Offset: disabled
[   63.814076][ T6842] Rebooting in 86400 seconds..